Security Vendors Push Back After NSA Documents Highlight Government Targeting Antivirus, Security Software

The gloves are coming off in the backlash against the NSA, with security vendors pushing back after a report Monday showed the agency targeted antivirus and security software vendors.

The Intercept report, citing documents from whistleblower Edward Snowden, said the NSA and U.K. counterpart Government Communication Headquarters (GCHQ) reverse-engineered security solutions in order to gain access to networks and track users. In particular, in "Project Camberdada" the NSA targeted 23 antivirus vendors around the globe to find security flaws and "repurpose" them for its own needs.

CRN reached out to most of the more than 23 vendors mentioned in the report. The list included vendors such as Kaspersky Lab, AVG, ESET, Avast, Check Point, Bitdefender, Viritpro, fsb-antivirus, F-prot, Norman, eAladdin, F-secure, DrWeb, k7computing, Ikarus, Hauri, Arcabit, Antiy Labs, Spy-Emergency, Nod32, Avira, AhnLab, NoVirusThanks and Emsisoft. Those who decided to comment expressed deep concern about what implications that held for the security industry going forward, particularly around its relationship with the federal government.

[Related: Kaspersky, Partners Concerned Over Report That NSA Infiltrated Security Software, Anti-Virus Vendors]

"The most recent reports claiming that the NSA and the British [GCHQ] have reverse engineered and compromised security software are troubling," Harvey Anderson, AVG Technologies chief legal officer, said in an email. "New limitations on state surveillance recently enacted in the USA Freedom Act are a positive step to ensure user security and peace of mind, but rebuilding trust in the digital ecosystem is a long-term endeavor. We will...continue to monitor this matter," he continued.

One company, in particular, that was targeted by the NSA was Kaspersky Lab, the report said. The report detailed how the NSA and GCHQ were able to reverse-engineer the Kaspersky solutions to obtain information on the solution itself, as well as the customers that used it. As did other companies, a Kaspersky spokesperson said the implications of the report could be dire for the security industry.

"We find it extremely worrying that government organizations are targeting security companies instead of focusing their resources against legitimate adversaries and are actively working to subvert security software that is designed to keep us all safe," a Kaspersky spokesperson said in an email.

"Once again, we would like to stress the need for security companies to work together as a community and fight for user privacy, the right to privacy on the Internet, thwart mass surveillance and make the world a safer place," the spokesperson continued.

Anderson said AVG is "not aware" of any of its products being compromised, and said the company takes "significant steps" to identify vulnerabilities in its products and prevent reverse-engineering. Other vendors on the list that also confirmed they had scanned their systems and found no evidence of compromise included Check Point, Bitdefender and ESET.

Some notable exceptions from the report's list included U.S.-based companies such as Intel Security (formerly McAfee) and Symantec, as well as U.K.-based Sophos. Symantec said in an email it "had not been undermined." Sophos and Intel Security declined to comment.

The vendors detail the steps they were taking to protect clients, including encryption, behavior-based detection, self-assessment and auditing. As states and espionage agencies become more active, those types of technologies will become critical to protect customers, Bitdefender Chief Security Strategist Alexandru Catalin Cosoi said in an email.

"Our natural response is to push the technical boundaries further so none of our customers feel the increasing government pressure," Cosoi said.

For the security vendors, that could mean working together, an ESET spokesperson said in an email.

"All of us in the information security industry stand together against any efforts designed to weaken our security products," the spokesperson said. "Protecting our customers, our products and our systems against intrusions of any kind, no matter the source is always our first priority."

PUBLISHED JUNE 23, 2015